Remove HTTPS control
Hi,
I have an issue when I try to connect to an HTTPS site: "Connection is not secured.
Owner has badly configured their web site, etc. etc."
With IE and Chrome there is no issue. I know that my issue is due to my enterprise firewall replacing the certificate with its own, leading Firefox to block the connection. My question is whether there is a way to deactivate this control in the config parameters?
Thanks in advance for your support.
Rman31
All Replies (3)
I suspect the page was already visited in Firefox on a connection that doesn't employ a man-in-the-middle attack (because that's what the enterprise firewall is doing). There is this security feature called OCSP, where information about server TLS/SSL certificates is distributed. Firefox consults this information for further validation of certificates. It might help your cause if you disable it via the configuration key security.OCSP.enabled.
Another security feature is HSTS (HTTP Strict Transport Security), which tells browsers never to connect via an insecure connection. As a result, the tampered connection the enterprise firewall is employing would be blocked. HSTS cannot be turned off. You have to make Firefox forget about it by creating a new profile.
Please let me note that the enterprise firewall behavior is very fishy. You shouldn't need to tamper with the secure connections and you certainly shouldn't follow the advice above and turn off OCSP. Rather, I encourage you to seek a different solution which secures your goals while not sacrificing browser security. For example, you could block all HTTPS traffic, while allowing only certain targets.
Try to contact your IT department and ask them how you can install the root certificate in the Firefox Certificate Manager to make it possible for Firefox to build a valid certificate chain.
You can also try to set this pref to true on the about:config page.
- security.enterprise_roots.enabled = true
You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.
Chosen Solution
OCSP has no impact but.... security.enterprise_roots.enabled is working!!!!
Thank you so much for your assistance.
Have a good day
Rman31
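For administrators checking what a profile ended up with after troubleshooting like the above, here is an added example (not part of the thread) that audits the text of a profile's prefs.js and user.js for the two prefs discussed, security.enterprise_roots.enabled and security.OCSP.enabled. The function names and the sample file contents are constructed for illustration.

```python
import re

# Matches one line of prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value}; a later line for the same pref wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs_js, user_js=""):
    """user.js is applied after prefs.js at startup, so it overrides it."""
    prefs = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    findings = []
    if prefs.get("security.enterprise_roots.enabled") is True:
        findings.append("enterprise_roots: Firefox also trusts CAs from the OS store")
    if prefs.get("security.OCSP.enabled") == 0:
        findings.append("ocsp_disabled: revocation checks are off; re-enable OCSP")
    return findings

# Constructed sample profile contents (not taken from the thread).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.OCSP.enabled", 0);
'''
SAMPLE_USER_JS = 'user_pref("security.enterprise_roots.enabled", true);\n'

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(finding)
```

An OCSP finding here means the pref was left at 0 after troubleshooting; the original poster reports it had no effect on the problem, so it can be set back.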